Okay, Fine, Let’s Talk About Period Tracking: The Detailed Explainer
By Kendra Albert, Maggie Delano, and Emma Weil.
This is a companion explainer to our shorter piece: “fear, uncertainty and period trackers”. We suggest reading the other piece first, as it lays out some of the background for our focus in this piece. In this piece, we lay out where concerns about period tracking come from, what we know about how people use period trackers, how law enforcement could access period tracking information, and then, about why period tracker evidence is bad evidence of pregnancy.
Why should you listen to us?
We’d like to explain why the three of us, with our powers combined, can provide good background on potential uses of period tracking data by law enforcement in the context of the criminalization of abortion.
Kendra is an attorney who practices in technology law at the Cyberlaw Clinic at Harvard Law School. They served as a Distinguished Fellow at the Center on Privacy and Technology at Georgetown Law, where they co-hosted a conference on surveillance of abortion-seekers and people who can become pregnant last week. (That means they have a fair amount of familiarity with the literature on what has actually happened in existing criminalization of people who are or were pregnant.) Kendra has opposed law enforcement requests for information to corporations and nonprofits, and they have also trained defense attorneys on how to handle technical evidence in criminal cases. Most importantly, they work in solidarity with sex workers, which is the best training in security and harm reduction that there is.
Maggie is an engineering professor with a background in self-tracking, and is an Assistant Professor at Swarthmore College. They were co-organizer of the Quantified Self Boston meetup, organizer of a Boston-based Quantified Self meetup for women and non-binary people, and have presented and organized breakouts at multiple Quantified Self conferences. In 2015, Maggie wrote a viral article about how the design of period trackers is exclusionary for users in relationships with people who cannot get them pregnant. Through the article and Quantified Self broadly, Maggie has supported others also negatively impacted by period tracker design, and their work has been featured in multiple books and articles on inclusive design. They also use a period tracker.
Emma is a Policy Analyst at Upturn who has a background in computer science. They co-authored the report Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones, which involved years of technical and legal research into police use of cell phone forensics tools. They have written amicus briefs in multiple court cases regarding warrants for cell phone evidence and the capabilities of cell phone forensics tools (Smith, Morton, Green).
We are also very grateful to the experts who provided very short notice feedback on this piece: Megan Graham, Riana Pfefferkorn, and Kate Bertash. The recommendations and conclusions are ours, not theirs, but we benefited from their expertise tremendously.
Where do concerns about period trackers come from?
It is true that period tracking apps can have information that is relevant to whether someone might have been pregnant and got an abortion. A prolonged period of not menstruating could indicate pregnancy, and then restarting one’s period after might indicate that one had an abortion, and was no longer pregnant. Additionally, for folks that are facing criminalization in states where abortions are illegal past a certain point, the date of someone’s last period may be relevant for that. When we discuss period tracking in this piece, we are assuming that users are not directly logging information that is incriminating, for example, that or when they took Misoprostol/Mifepristone. To riff on Kate Bertash’s Twitter display handle, “don’t record crimes in your period tracking app.” Instead, we’re focused on run-of-the-mill period tracking, since that seems to be what lots of folks are afraid of.
Some advocates have highlighted these apps in particular. The Surveillance Technology Oversight Project released a white paper which says that “Health data apps, particularly period trackers, are a potent source of data for police.” There were a number of popular articles and viral tweets identifying period trackers as a risk vector post-Dobbs back in May. Folks outside the digital security space have echoed these concerns since the decision came down, including Gina Neff, who is an expert on digital health and self-tracking.
Some of these concerns may be rooted in a news item from Missouri. In 2019, the Missouri Department Department of Health stored data on pregnant people’s periods, using a spreadsheet with data gathered from state medical records. This spreadsheet was apparently used to gather information about which patients were still pregnant when they went in for follow up visits. Notably, the abortion clinic, like those in most states, was required to report this information to a state department of public health, so this is not a case where individual patients had any agency in this data being shared once they told their doctor. To be clear, there are legitimate medical reasons why a doctor needs to know when your last period was if you might be pregnant, and so not sharing period information may not be an option, especially if a patient is presenting with vaginal bleeding. Generally, the story out of Missouri affirms the concerns that we’ve heard from experts like Khiara Bridges about the role of medical professionals in gathering data that may be used to investigate and prosecute people, and has echoes in the early history of abortion and coerced confessions documented by people like Leslie Reagan in her book When Abortion Was A Crime.
Beyond Missouri, the theory of why period tracking data would be useful for abortion prosecution is pretty light on details. At “best”, period tracking data could show that you did not log a period for several months, which could indicate pregnancy (it could also indicate other things, as we discuss below). But it’s unclear that proving pregnancy is going to be the most relevant evidentiary matter in the case of a prosecution for an abortion, and even if it is, period tracker data is not particularly convincing data to use. It is far more likely that someone’s messages saying they were pregnant or testimony from someone they told they were pregnant would be used as this kind of evidence.
As Kate Bertash and Cynthia Conti-Cook said in their May op-ed, “although [period trackers] have a direct connection to reproductive cycles, it’s more likely that law enforcement and others will use more common digital activity to determine if someone has searched for abortion pills, communicated with abortion providers or related services, or even if they’ve traveled out of state for care.” In short, in individual cases, there is likely to be better evidence to prove pregnancy/end of pregnancy, and law enforcement could access it more easily.
What do we know about why/how people use period tracking apps?
People use period tracking for a variety of reasons, including self-awareness, for planning purposes (e.g. bringing pads to work), to help get pregnant, to avoid getting pregnant, for medical reasons, and even just out of curiosity. Period trackers themselves have a range of functionality to reflect these different potential use cases, from tracking when menstruation begins to tracking symptoms (acne, anxiety, cramps, etc.) and other relevant information (cervical fluid status, basal body temperature, sexual activity) throughout the menstrual cycle. A basic period tracking app might only allow the logging of when menstruation occurred, but more involved period tracking apps, sometimes designed to assist in conceiving (or avoiding conception), allow logging much more detailed information.
Ultimately, what people log is usually a product of why they’re tracking. For example, many period tracker apps developed in the last decade are specifically focused on helping a person get pregnant. These apps have a lot of logging features beyond tracking when menstruation starts and stops, such as tracking symptoms, cervical fluid, basal body temperature, and more. They often predict when a person is likely to ovulate, helping with the timing of insemination. They also may share information about conception and pregnancy, and provide support through the app or related community forums. Some apps even use notifications about likely menstruation, or to remind users to log symptoms or sexual activity. These features may or may not be relevant for someone not trying to conceive. Individuals not trying to conceive are therefore more likely to use apps that are more general, or that can be customized based on a user’s stated needs.
Likewise, how frequently a person engages with a period tracking app depends on why they are using it (Gambier-Ross et al., 2018). Someone who is using a period tracking app only to log the date their period starts might only open the app when their next cycle begins. On the other hand, someone tracking to get pregnant, to avoid getting pregnant, or for an underlying medical condition is more likely to open the app and log symptoms on a more frequent basis, up to multiple times per day. All of that means that someone who is trying to get pregnant and later decides to terminate a pregnancy is likely to have much more information potentially available than someone who just uses a period tracker to determine when they might need to put an extra tampon in their bag.
What information do period tracking apps save?
The information saved by a period tracking app depends on the specific app. In a 2020 report on menstruation apps and data gathering, Privacy International shared that the period tracking app Clue (iOS and Android), for example, stores information about a specific user (birthday, name, gender, email, etc.) and also information about each request to their server, which included the contents of the request and the user’s location. This includes when a user opens the app. If information is stored with a third party, it might be a good assumption that every interaction with the app is logged.
The Euki app (iOS and Android), on the other hand, is one example of an app that stores all information locally. Additionally, they store no email or profile information, and allow users to set a four digit PIN that must be entered to access the app. It also has a security feature where if a user enters 0000 the app will display blank information. This makes Euki a good choice if you’d like to password protect your information from someone who might otherwise be able to access your phone, such as in domestic violence situations, for teenagers or people who are otherwise concerned about being monitored. Drip (Android only, iOS coming soon) also stores your data locally, but does not currently have a PIN option.
How would law enforcement get access to period tracker data and what might it look like to see it actually get used in an investigation?
Why We Assume an Investigation
In this section, we discuss the police getting access to a specific person’s information. That’s because realistically, that’s what has happened in the context of current criminalization of self-managed abortion, and frankly, in the context of other kinds of criminalization. These risks are different from the persistent invasiveness of corporate monetization under surveillance capitalism, and although some of the recommendations for avoidance are the same, some of them differ.
When you read about concerns about period trackers, there seems to be the view that law enforcement will do a data dump from period tracking apps to identify who in their jurisdiction failed to log a period, so they can then investigate them for “abortion-related crimes”.
We have seen some examples of these kinds of broad requests, specifically, geofence warrants and reverse keyword warrants. But those broad searches are still to investigate a particular crime that happened in a specific location. The theory of the broad period tracking app data searches people seem worried about is untethered from both an underlying crime and a specific person, and that is exactly the context in which judges should refuse to sign a warrant, and companies should push back on it. Additionally, law enforcement officers are resource-constrained (even if it doesn’t feel like it), and investigation of all missed periods is unlikely to result in meaningful efforts beyond potential intimidation. Of course, that might be the point, but again, this is getting into the realm of wild speculation rather than realistic threat assessment based on the current landscape.
More broadly, although there has been widespread concern about the use of quantified self and other types of self-tracking tools by law enforcement, the use of such data in criminal prosecutions has been relatively rare, in part because it requires a lot of contextualization and background to explain, as opposed to “smoking gun” evidence of intent like text messages, searches, etc. Contrary to what courtroom dramas would have us believe, prosecutors are unlikely to introduce complex and circumstantial evidence about behavior unless it’s the best evidence they have. It is possible that we will see more use of self-tracking data over time, however, period tracking apps, even those that store data on third-party servers, are unlikely to be a useful place for law enforcement to start, for the reasons below.
So broadly speaking, there are two ways that law enforcement can get access to your data. The first is via a law enforcement request to a company that has your data, and the second is via your devices. We’ll talk about them in turn. Of course, what the law is and how things “should” work are always different than what happens on the ground, so while our goal is to articulate what the general environment looks like for data requests, the reality is often far less clear-cut and defendant friendly.
Data Stored Off-Device (“in the Cloud”)
Data that exists with third parties (Google, period app companies, etc.) can be requested by police by directly going to the company. Companies vary in their willingness to provide access to law enforcement, and in the amount of legal process they require for information. Some companies (Google, Twitter) actually have quite strict requirements and scrutinize law enforcement requests thoroughly, requiring a warrant (which must be signed off by a judge) before turning over particular information. Others, for example, cell phone carriers, generally are not as serious about protecting user privacy. Additionally, it can be more difficult for smaller organizations to afford the type of legal counsel necessary to oppose law enforcement requests, or to even know that they could.
It’s also easier for companies to resist requests that are not from their jurisdiction. Ultimately, if a company refuses to comply with a law enforcement request for information, law enforcement may need to bring them to court to enforce it. This could make it more difficult for state and local law enforcement to effectively get data from companies outside the United States, even aside from the requirements of privacy under something like the General Data Protection Regulation (GDPR), which Clue has noted would govern any release of information.
Ultimately, the best defense to a subpoena or other law enforcement process is not having data. Companies cannot fulfill subpoenas for information they don’t have or only have in an encrypted format but without the necessary keys to decrypt it. So yes, using period trackers such as Clue, Flo, etc., that store data in the cloud does create an additional potential vehicle for law enforcement to gain access to period tracking data — for all the good it will do them. All else being equal, using a period tracker that only stores data on device (Euki, Drip) or doesn’t allow for company access (Apple Health on iPhones running iOS 12 with two-factor authentication on your iCloud account) eliminates the risk that police go through third-parties to get your period tracker data.
Data Stored on Device
Data that exists only on your phone can be protected if your phone has strong security and if you do not unlock your phone for police. Most smartphones encrypt nearly all data on the phone while it’s locked. iPhones go further and use special hardware to decrypt data, and use your password as part of the process — which means that police would need to know or guess your password to read the data on your phone. If you have a password that is 8 characters long of random numbers and letters, it is very unlikely to be feasible for police to guess it because of how long it would statistically take to do so. The shorter and more common the password is, the easier it is to guess. A 4-number passcode can be guessed in a matter of minutes!
A very strong password and solid device security can be an actual roadblock to police getting evidence from your phone, and they may simply give up. The Fifth Amendment can legally protect you from having to reveal your password or unlock your phone, but does not necessarily apply to biometric (face ID or fingerprint) passwords, so if you suspect you might be under law enforcement investigation, deactivate biometric log-in options, whether manually or using “panic mode” (iOS/Android).
However, not all phones have good security, and cell phone search tools can actually go around the password on some phones. This includes on lower-end Android phones, but it is hard to say for certain which exact phone models have vulnerabilities, as digital forensics developers like Cellebrite are constantly adding support for more phone models. If you can’t say for sure that your phone has good security, you should absolutely be minimizing the amount of data stored on your phone — with most of your energy going toward not creating and/or deleting “smoking gun” type incriminating evidence, like communications, searches, and email receipts.
Strong security can be foiled by consent-based searches, though, which is when police simply ask you to unlock your phone or give them access to it. Consent searches are extremely common occurrences, in spite of the fact that police are supposed to get a warrant for cell phone data according to Riley v. California. When police get a warrant, they are supposed to only get data that is related to the offense (though this has been difficult to enforce in practice, as Emma told the court in Connecticut v. Smith). In a consent search, police usually get verbal or written confirmation to access a phone, but can then search the entire phone without regards to any limitations you may request (e.g. “only text messages with a specific person from the month of June”). This makes the problem with consent searches two-fold: police don’t have to circumvent your security because you’ve opened your phone for them, and police are not accountable to the requirements of the warrant process, like stating the particular data to be seized. If at all feasible, you should never consent to a search of your phone — though consent searches should be banned outright.
Device Backups
Unfortunately, it’s not quite as simple as local data and data “in the cloud.” If you are relying on storing data locally on your device as a security measure and you would like to avoid any chance that a third-party can hand over your data in a usable format, it’s also a good idea to think about how your data is backed up. Both Android and iOS can be set up to store copies of local phone data remotely, in order to allow for you to restore the contents of your phone if you, say, drop it out a window because you’re trying to level an air conditioner. (Not that that’s ever happened to any of us.)
On Android, backups on phones running standard Google software are encrypted by default in a way that prevents Google from producing data from your period tracker to law enforcement. Your mileage may vary with any other type of backup provider.
On iOS, things are pretty confusing, so bear with us. First, the good news — if you are using Apple Health on iOS 12 or later and using two-factor authentication for your iCloud account, Apple cannot decrypt your information and provide it to law enforcement.
If you are using Euki, in order to keep Apple from having a copy of your period tracking data, you need to make sure that you are only using local backups (by plugging your phone into a computer or external hard drive and saving a copy there), rather than cloud backups, which store a copy on Apple’s servers that they can decrypt and hand over to law enforcement. iOS backs app data up to iCloud by default, so you will want to turn off iCloud backups. (We’re sorry, we know this is incredibly confusing.)
Nonetheless, even using iCloud backups with Euki throws up more roadblocks to law enforcement access than using one of the major third party app vendors. Again, we cannot stress enough that for an average user, this level of in-the-weeds is likely not a proportionate response to the risks involved in period tracking. EFF’s Surveillance Self Defense materials have much more detailed descriptions of all of these concepts, as well as step-by-step instructions for implementing protective measures.
Summing Up
In short, when picking a period tracking app, there are multiple choice points/ways to reduce your risk, even given the relatively low risk of usage of this data to begin with. (Again, we cannot stress enough that this is not something to worry about unless you have your security down for all of the higher risk forms of data.)
- Using an app that only stores data locally (Euki, Drip) or in a form that the app creator cannot access it (Apple Health, in some circumstances) and double checking your backup procedures eliminates law enforcement requests to the company as a vector for information.
- Using an app that stores less information decreases the chances that any information might be used against you in the unlikely event that this data is relevant.
- However, if you are going to use an app where a company has access to your data (Clue, Flo, etc), you will want to make sure that the company will require appropriate legal process in order to gain access to your data, and does not sell it in an identifiable form to third-party brokers. Determining whether that’s true is hard, even for experts like us, which is why it’s often easier to just use one of the local storage options if this is something you are really concerned about.
How could a defense attorney rebut period tracking evidence if offered against a defendant?
First off, our caveats: Just because something is bad evidence does not mean that prosecutors will not attempt to use it. There are all kinds of bad forensic evidence that are regularly used to pressure plea deals by defendants, to get a warrant for additional better evidence, or even introduced at trial. Period tracking data may be relevant if law enforcement actually needs to show when you had your last period. This could be more relevant in states with time-limited abortions; however, the period tracker information is less likely to be used by prosecutors than information that you give a medical provider about your last period date. We have not seen prosecutions of individual abortion-seekers in this context, as opposed to providers, and even in moments of flux, it’s always better to make security decisions based on real risks as opposed to hypothetical ones.
Assuming a person has not explicitly logged their pregnancy in the app, there are a few different ways that law enforcement might try to use period tracker data to infer a pregnancy. The most likely one is the absence of a documented period for an extended period of time, suggesting that a person became pregnant. For most people who are not seeking to become pregnant, the absence of a logged period onset for a duration that exceeds their typical cycle duration could potentially be used to argue that such a person did not have their period due to pregnancy.
There are a lot of other potential explanations for why someone might (appear to) stop using a period tracker app. Consistent with other self-tracking technologies, one of the most likely reasons is simply because a person forgot to use it (Epstein et al., 2015, 2017).
Especially if a person is not actively trying to conceive or concerned about avoiding conception, if they use a period tracker at all they are only likely to use it once every few weeks at most. Even Maggie, someone who has tracked their period using an app for over 5 years, sometimes forgets to enter the onset of their menstruation until several days later. Anyone less dedicated to self-tracking could simply forget for one cycle and log again the next. Another possibility is that a person legitimately has not menstruated in an extended period of time for a reason unrelated to pregnancy (Klein et al., 2019). Reasons other than pregnancy that someone might not menstruate include stress, weight loss, vigorous exercise, eating disorders, autoimmune diseases, contraception, exogenous androgens, menopause, and more.
People also have plenty of reasons for no longer logging their period besides pregnancy, including that they were frustrated by the accuracy of the app and switched to a different one, they started tracking in another way, they found the app creepy or disempowering, they were turned off by the gendered nature of the app, or they stopped tracking using an app entirely (Epstein et al., 2017, Gambier-Ross et al., 2018, Levy and Romo-Avilés, 2019). This could be because they understand their cycle better and do not need an app to help anymore, they changed contraception methods, or their sexual activity has changed. These are all plausible and common reasons for someone to lapse or completely stop using a period tracking app that have nothing to do with becoming pregnant.
One potential concern for users might be if period tracker data shows that a user opened the app, but did not log anything. Apps like Euki and Drip that gather minimal data may be safer for this reason. However, there are many reasons why a user might do this that don’t have anything to do with pregnancy, including confirming the date of their last period (whether for themselves or to share with a healthcare provider), and to look up information about a past cycle or symptoms, idle curiosity, or even by accident.
All this is to say that if there was a prosecutor who thought that period tracker data was good proof of pregnancy/the ending of pregnancy, their case is going to be very vulnerable to cross-examination from a defense attorney and/or a dueling expert who can explain about how period tracking is not a particularly great evidence of pregnancy. (If you’re a defense attorney and you need to learn more about what research says about period tracking, feel free to drop us a line! We’re happy to help or find someone for you.)
Conclusion
An astute reader may be wondering why we don’t suggest not logging periods at all if there’s the slightest chance that period tracking data might be used against a person for terminating a pregnancy. After all, many experts have said to “delete your period tracker.”
The first reason is that we want folks to make the right choices for them. In the words of Lorelei Lee, a sex worker advocate and expert on criminalization, “there is no such thing as perfect safety, there is only harm reduction. There are real barriers to following every single data privacy protocol or harm reduction tactic. Sometimes other needs must be put ahead of safety.” That is, all decisions about what steps to take to reduce the risk of law enforcement involvement or successful prosecution have to be weighed against the costs that individuals incur by not being able to track their periods. For some people, period tracking might be an idle habit, not of any particular importance, and giving it up may be easy. But for others, period tracking might be vital for monitoring symptoms of a medical condition or making sure that they are able to take appropriate mental health steps. Telling people to delete their period trackers ignores the real differences between people and their appropriate risk models.
Second, we want to, in the words of Our Data Bodies/Stop LAPD Spying (also quoted in Cynthia Conti-Cook’s excellent article) “build power, not paranoia.” Advocating to ban consent searches of cell phones is honestly a far more useful, networked, wide reaching intervention than deleting a period tracker. Putting the energy in to move group chats to Signal before you need them to be secure is a better idea than trying to figure out whether Stardust somehow managed to build a safe app for abortion seekers (they didn’t.) There’s a ton we could all do to keep our communities safe — there’s no need to concentrate a ton of attention on something that is unlikely to make a meaningful difference. Often, increasing the cost of law enforcement access can result in less harm to folks who are under the threat of criminalization.
So no, you don’t need to delete your period tracker. The risk related to it comes if law enforcement is already investigating you, and pales in comparison to other forms of digital evidence. Also, period tracking records are bad digital evidence, open to a number of different interpretations and easy to rebut with expertise. Instead, take the steps that matter more: if you are able, donate to an abortion fund, put a strong passcode on your phone, and don’t consent to the search of your device, or generally, talk to cops.
References
K. Bridges, Reproducing Race: An Ethnography of Pregnancy as a Site of Racialization. 2011.
C. Conti-Cook, “Surveilling the Digital Abortion Diary,” University of Baltimore Law Review, vol. 50, no. 1, Oct. 2020, [Online]. Available: https://scholarworks.law.ubalt.edu/ublr/vol50/iss1/2
D. A. Epstein, A. Ping, J. Fogarty, and S. A. Munson, “A lived informatics model of personal informatics,” in Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing, New York, NY, USA, Sep. 2015, pp. 731–742. doi: 10.1145/2750858.2804250.
D. A. Epstein et al., “Examining Menstrual Tracking to Inform the Design of Personal Informatics Tools,” in Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, New York, NY, USA, May 2017, pp. 6876–6888. doi: 10.1145/3025453.3025635.
K. Gambier-Ross, D. J. McLernon, and H. M. Morgan, “A mixed methods exploratory study of women’s relationships with and uses of fertility tracking apps,” DIGITAL HEALTH, vol. 4, p. 2055207618785077, Jan. 2018, doi: 10.1177/2055207618785077.
M. Goodwin, Policing the Womb: Invisible Women and the Criminalization of Motherhood. Cambridge: Cambridge University Press, 2020. doi: 10.1017/9781139343244.
D. A. Klein, S. L. Paradise, and R. M. Reeder, “Amenorrhea: A Systematic Approach to Diagnosis and Management,” afp, vol. 100, no. 1, pp. 39–48, Jul. 2019.
Logan Koepke, Emma Weil, Urmila Janardan, Tinuola Dada, and Harlan Yu, “Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones,” Oct. 2020. Accessed: Jun. 28, 2022. [Online]. Available: https://www.upturn.org/static/reports/2020/mass-extraction/files/Upturn%20-%20Mass%20Extraction.pdf
J. Levy and N. Romo-Avilés, “‘A good little tool to get to know yourself a bit better’: a qualitative study on users’ experiences of app-supported menstrual tracking in Europe,” BMC Public Health, vol. 19, p. 1213, Sep. 2019, doi: 10.1186/s12889–019–7549–8.
L. J. Reagan, When Abortion Was a Crime: Women, Medicine, and Law in the United States, 1867–1973, with a New Preface. 2022.
